CVE-2024-40711

CRITICAL KEV RANSOMWARE NUCLEI

Veeam Backup & Replication 12.0.0.1420 through 12.2.0.334 - Deserialization RCE

Title source: llm

Exploitation Summary

CVE-2024-40711 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added October 17, 2024, with confirmed use in ransomware campaigns. EIP tracks 2 public exploits from researchers including watchtowrlabs, realstatus. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository contains a functional exploit PoC for CVE-2024-40711, leveraging .NET deserialization to achieve remote code execution (RCE) via a crafted payload. The exploit includes multiple payload options, such as file creation, command execution, and a web shell deployment mechanism.

Description

A deserialization of untrusted data vulnerability with a malicious payload can allow an unauthenticated remote code execution (RCE).

Exploits (2)

nomisec WORKING POC 55 stars

by watchtowrlabs · remote

https://github.com/watchtowrlabs/CVE-2024-40711

View Code ZIP pw:eip

This repository contains a functional exploit PoC for CVE-2024-40711, leveraging .NET deserialization to achieve remote code execution (RCE) via a crafted payload. The exploit includes multiple payload options, such as file creation, command execution, and a web shell deployment mechanism.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Microsoft .NET Framework (specific version not specified)

No auth needed

Prerequisites: Vulnerable .NET application with deserialization flaw · Network access to the target

MITRE ATT&CK

T1189 - Drive-by Compromise T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WORKING POC 42 stars

by realstatus · poc

https://github.com/realstatus/CVE-2024-40711-Exp

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2024-40711, demonstrating a .NET deserialization vulnerability that allows remote code execution (RCE) via a crafted payload. The exploit includes a webshell deployment mechanism and leverages ysoserial-like gadgets for payload generation.

Classification

Working Poc 95%

Attack Type

Deserialization

Complexity

Moderate

Reliability

Reliable

Target: Microsoft .NET Framework (specific version not specified)

No auth needed

Prerequisites: Access to a vulnerable .NET application with deserialization of untrusted data · Ability to send crafted serialized payloads to the target

MITRE ATT&CK

T1189 - Drive-by Compromise T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 18, 2026 Full analysis →

Nuclei Templates (1)

Veeam Backup & Replication - Unauthenticated

CRITICALVERIFIEDby rootxharsh,iamnoooob,DhiyaneshDK

Shodan: html:"Veeam Backup"

References (3)

Core 3

Core References

Vendor Advisory

https://www.veeam.com/kb4649

Exploit, Third Party Advisory

https://labs.watchtowr.com/veeam-backup-response-rce-with-auth-but-mostly-without-auth-cve-2024-40711-2/

US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-40711

Scores

CVSS v3 9.8

EPSS 0.8819

EPSS Percentile 99.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation active

Automatable yes

Technical Impact total

Details

CISA KEV 2024-10-17

VulnCheck KEV 2024-04-23

InTheWild.io 2024-10-17

ENISA EUVD EUVD-2024-38578

Ransomware Use Confirmed

CWE

CWE-502

Status published

Products (1)

veeam/veeam_backup_\&_replication 12.0.0.1420 - 12.2.0.334

Published Sep 07, 2024

KEV Added Oct 17, 2024

Tracked Since Feb 18, 2026